From psirt@cisco.com Thu Aug 3 22:08:52 2000
From: Cisco Systems Product Security Incident Response Team
To: cust-security-announce@cisco.com
Cc: psirt@cisco.com
Date: Thu, 03 Aug 2000 11:00:00 -0400 (EDT)
Subject: Cisco Security Advisory: Possible Access Control Bypass and Denial of Service in Gigabit Switch Routers Using Gigabit Ethernet or Fast Ethernet Cards

Cisco Security Advisory

Possible Access Control Bypass and Denial of Service in Gigabit Switch Routers Using Gigabit Ethernet or Fast Ethernet Cards

Revision 1.0

For Public Release 2000 August 03 at 11:00 AM US/Eastern (UTC+0400)

_________________________________________________________________

Summary

A defect in Cisco IOS(tm) Software running on all models of Gigabit Switch Routers (GSRs) configured with Gigabit Ethernet or Fast Ethernet cards may cause packets to be forwarded without correctly evaluating configured access control lists (ACLs). In addition to circumventing the access control lists, it is possible to stop an interface from forwarding any packets, thus causing a denial of service.

Only the particular combination of equipment described in this notice is vulnerable. No other combinations of routers and cards are vulnerable. Network topologies that include a large flat/bridged network may be more susceptible to this vulnerability than some other topologies.

There is no workaround. Customers are urged to upgrade to unaffected versions of software as soon as possible.

This vulnerability is present in all Cisco IOS Software releases for the GSR starting with release 11.2(15)GS1A. Versions of Cisco IOS Software containing the repair for this defect are listed in the section Software Versions and Fixes below.

This defect is documented as Cisco bug ID CSCdp35794.

The complete advisory is available at http://www.cisco.com/warp/public/707/gsraclbypassdos-pub.shtml.
Affected Products

This vulnerability affects only Gigabit Ethernet and Fast Ethernet cards that are installed in Gigabit Switched Routers. Gigabit Switched Routers with other cards are not susceptible to this vulnerability. Similarly, Gigabit Ethernet and Fast Ethernet cards that are installed in other router models are not susceptible to this vulnerability. Specifically, the RSP/7200 series routers are not affected.

Details

When access lists are used on a GSR with Gigabit Ethernet or Fast Ethernet cards installed and configured, line card failures may occur that require a reset of the affected card, and internal queuing data structures may be corrupted. The problem is due to differences in the optimized handling of certain types of packets from shared media that directly affect the evaluation of access control lists on Gigabit Ethernet and Fast Ethernet interfaces.

The problem is more likely to occur on a large shared or bridged Ethernet segment, and is more evident with the use of compiled access control lists (also known as Turbo ACLs) than with other access control lists. The problem cannot occur unless access control lists are configured on the affected interfaces.

This defect has been assigned Cisco bug ID CSCdp35794. If you are a registered CCO user and you have logged in, you can view bug details.

Impact

Under certain conditions it is possible to circumvent compiled access control lists with a moderate probability of success and to circumvent extended access control lists with a low probability of success. A possible side effect is that the attacked interface may stop forwarding packets without logging an error, requiring the card to be reset via software. Due to the nature of this vulnerability, it is difficult to predict the exact results of any such exploitation.

Network topologies that include a large flat/bridged network (several hundred hosts or more) may be more susceptible to this vulnerability than some other topologies.
However, by sending a large number of specific packets, it may be possible to trigger this vulnerability on any topology.

Software Versions and Fixes

This vulnerability affects Gigabit Ethernet and Fast Ethernet cards on the following Gigabit Switch Routers:

   * 12008 Gigabit Switch Router
   * 12012 Gigabit Switch Router
   * 12016 Gigabit Switch Router

This vulnerability affects all releases of Cisco GSR IOS Software starting with 11.2(15)GS1A. This vulnerability has been corrected in the following IOS releases:

   * 11.2(19)GS0.2
   * 12.0(8.0.2)S
   * 12.0(7)S1
   * 12.0(7.4)S
   * 12.0(8.3)SC
   * 12.0(7)SC

All subsequent releases of Cisco IOS Software for the GSR incorporate this fix.

To determine if your system is affected by this problem, execute the show version command while in global configuration mode. If the output does not contain the words "GS Software" in the banner and "FastEthernet" or "GigabitEthernet" in the list of installed cards, then the system is not affected by the vulnerability described in this advisory. If show version displays "GS Software" and also reports that "FastEthernet" or "GigabitEthernet" cards are installed in the system, then the current IOS release number should be compared to those listed above to determine if an upgrade is necessary.

Obtaining Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers. Customers may install only the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/.
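The show version check described under Software Versions and Fixes can be scripted against saved command output. The following is an added example, not part of the advisory or of any Cisco tool: it tests for the "GS Software" banner and an FE/GE card, parses the IOS release string, and compares it, within its own release train only, against the fixed releases listed above (the assumption that any release at or above the lowest fixed release of its train carries the fix is the example's reading of "all subsequent releases incorporate this fix"). The sample banners are constructed, not real device output.

```python
import re

# Release data transcribed from the advisory text.
FIRST_VULNERABLE = "11.2(15)GS1A"
FIXED_RELEASES = ["11.2(19)GS0.2", "12.0(8.0.2)S", "12.0(7)S1",
                  "12.0(7.4)S", "12.0(8.3)SC", "12.0(7)SC"]

# major.minor(maintenance[.interim ...])TRAIN[rebuild][letter], e.g. 11.2(19)GS0.2
_REL_RE = re.compile(r"(\d+)\.(\d+)\(([\d.]+)\)([A-Z]+)([\d.]*)[A-Z]?")

def parse_release(text):
    """Return (train, sort_key) for the first IOS release string in text, else None.
    Interim builds sort after their base release: 12.0(7) < 12.0(7.4) < 12.0(8)."""
    m = _REL_RE.search(text)
    if not m:
        return None
    nums = lambda s: tuple(int(x) for x in s.split(".") if x)
    key = (int(m.group(1)), int(m.group(2)), nums(m.group(3)), nums(m.group(5)))
    return m.group(4), key

def classify(show_version_output):
    """Apply the advisory's check: 'not_affected', 'vulnerable', 'fixed' or 'unknown'."""
    out = show_version_output
    # Both conditions from the advisory must hold: GS software and an FE/GE card.
    if "GS Software" not in out:
        return "not_affected"
    if "FastEthernet" not in out and "GigabitEthernet" not in out:
        return "not_affected"
    parsed = parse_release(out)
    if parsed is None:
        return "unknown"
    train, key = parsed
    first_train, first_key = parse_release(FIRST_VULNERABLE)
    if train == first_train and key < first_key:
        return "not_affected"          # predates the first vulnerable GS release
    # Assumption: fixed if at or above the lowest fixed release of the same
    # train; different trains (GS, S, SC) are never compared with each other.
    fixed_keys = [parse_release(r)[1] for r in FIXED_RELEASES
                  if parse_release(r)[0] == train]
    if not fixed_keys:
        return "unknown"               # train not covered by the advisory's list
    return "fixed" if key >= min(fixed_keys) else "vulnerable"

# Constructed sample banners (not real device output), shaped like show version.
SAMPLE_VULNERABLE = """IOS (tm) GS Software, Version 12.0(6)S, RELEASE SOFTWARE
cisco 12012 processor with 262144K bytes of memory.
1 GigabitEthernet/IEEE 802.3 interface(s)
"""
SAMPLE_OTHER_ROUTER = """IOS (tm) RSP Software, Version 12.0(6)S, RELEASE SOFTWARE
2 FastEthernet/IEEE 802.3 interface(s)
"""

if __name__ == "__main__":
    print(classify(SAMPLE_VULNERABLE), classify(SAMPLE_OTHER_ROUTER))
```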
Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC) as follows:

   * 800 553 2447 (toll-free from within North America)
   * +1 408 526 7209 (toll call from anywhere in the world)
   * E-mail: tac@cisco.com

Additional contact information for the TAC is on-line at http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml, including instructions and e-mail addresses for use by non-English speakers.

Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades. You will obtain faster results by directly contacting the TAC.

Workarounds

There is no known configuration workaround. Customers are urged to upgrade affected platforms to a fixed software version as soon as possible.

Affected line cards that have stopped forwarding packets can be reset by using the command microcode reload [optional-slot-number] while in global configuration mode.

Exploitation and Public Announcements

The Cisco PSIRT has received no reports of malicious exploitation of this vulnerability.

Status of This Notice: FINAL

This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all the facts have been checked to the best of our ability. Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice.

Distribution

This notice is posted at http://www.cisco.com/warp/public/707/gsraclbypassdos-pub.shtml.
In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

   * cust-security-announce@cisco.com
   * first-teams@first.org (includes CERT/CC)
   * bugtraq@securityfocus.com
   * firewalls@lists.gnac.net
   * cisco@spot.colorado.edu
   * cisco-nsp@puck.nether.net
   * comp.dcom.sys.cisco
   * Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.

Revision History

Revision 1.0   2000-08-03   Initial public release.

Cisco Product Security Incident Assistance Process

The web page at http://www.cisco.com/warp/public/707/sec_incident_response.shtml describes how to report security vulnerabilities in Cisco products, obtain assistance with security incidents, and register to receive product security information from Cisco Systems, Inc., including instructions for press inquiries regarding Cisco Security Advisories and notices.

This advisory is Cisco's official public statement regarding this vulnerability.

_________________________________________________________________

This notice is copyright 2000 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified and include all date and version information.